UK Water Utility’s 2-Year Cyber Breach Exposes Critical Infrastructure Failures
A UK water company unknowingly hosted ransomware attackers for nearly two years, exposing data of over 633,000 people. Learn how outdated systems, poor monitoring, and unpatched vulnerabilities led to a major cybersecurity failure.

A British water utility serving 1.6 million people unknowingly hosted cybercriminals inside its own network for nearly two years and only stumbled upon the breach because computers started running slowly.
South Staffordshire Water's nightmare began quietly in September 2020, when an employee did what millions of people do every day: opened an email attachment. That single click handed the notorious Cl0p ransomware gang a skeleton key to the company's entire corporate network.
What followed was a masterclass in patience. The attackers didn't smash and grab. They lurked silently for over a year and a half, watching, mapping the network, and biding their time. It wasn't until May 2022 that they made their move, sliding into a domain administrator account (essentially the keys to the kingdom) and roaming freely across systems without raising a single alarm.
The company only caught on in July 2022, and only because IT staff noticed the network was sluggish. An internal investigation followed. Two weeks later, they found a ransom note the attackers had already tried and failed to deliver to staff. The criminals had come, stolen everything, and nearly left without anyone noticing.
What the Hackers Walked Away With
By the time it was over, roughly 4.1 terabytes of data had been published on the dark web, exposing the personal details of 633,887 customers and employees: names, addresses, dates of birth, bank account numbers, National Insurance numbers and, for some of the most vulnerable customers, information that could reveal disabilities.
The UK's data protection watchdog, the Information Commissioner's Office (ICO), has now fined the company £963,900 (~$1.3 million), and its findings paint a damning picture of cybersecurity negligence.
A Perfect Storm of Failures
The ICO identified failures that cybersecurity professionals would consider basic hygiene:
Skeleton crew monitoring: As late as December 2021, more than a year into the breach, an outsourced security team was watching just 5% of the company's IT environment. The rest was essentially unguarded.
Ancient software: Some machines were still running Windows Server 2003, an operating system Microsoft stopped supporting back in 2015.
Zero vulnerability scanning: When regulators asked for records of any security scans conducted during the breach window, the company confirmed none existed.
An unpatched critical flaw: Two key servers remained vulnerable to ZeroLogon, a critical vulnerability that lets an attacker seize full control of the affected system almost instantly, and one that had been publicly disclosed in August 2020, the same month as the attack's initial access. The hackers used it.
No least-privilege controls: Rather than limiting what each user account could access, the company allowed a compromised administrator account to roam the entire network unchallenged.
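The ZeroLogon and monitoring failures above are the kind a domain controller's own logs would have flagged. The following is an added example, not code from the article or from South Staffordshire Water: it triages the Netlogon Event IDs 5827 to 5831 that Microsoft's August 2020 Netlogon update writes to the System log, separating denied vulnerable connections from ones the controller still allowed. The key=value export format and every hostname, account and address in SAMPLE_EVENTS are constructed for the demonstration.

```python
"""Triage Netlogon secure-channel events relevant to ZeroLogon (CVE-2020-1472).

Event ID meanings follow Microsoft's guidance for the August 2020 Netlogon
update (KB4557222); the log line format used here is an assumed, constructed
key=value export rather than any real product's output.
"""
import re
from collections import defaultdict

# Verdict and description for each Netlogon event ID added with the fix.
NETLOGON_EVENTS = {
    5827: ("DENIED", "vulnerable machine-account connection denied"),
    5828: ("DENIED", "vulnerable trust-account connection denied"),
    5829: ("ALLOWED", "vulnerable machine-account connection allowed (DC not in enforcement mode)"),
    5830: ("ALLOWED", "vulnerable machine-account connection allowed by group-policy exception"),
    5831: ("ALLOWED", "vulnerable trust-account connection allowed by group-policy exception"),
}

# Constructed sample export: one System-log record per line. Event 7036 is an
# unrelated service-state message included to show that noise is skipped.
SAMPLE_EVENTS = """\
2022-05-12T03:14:07Z host=DC01 event_id=5829 account=WS-FILE02$ src=10.20.30.41
2022-05-12T03:14:09Z host=DC01 event_id=7036 account=- src=-
2022-05-12T03:15:22Z host=DC01 event_id=5829 account=SCADA-HIST$ src=10.20.30.77
2022-05-12T03:16:01Z host=DC02 event_id=5827 account=OLD-PRINT$ src=10.20.31.5
2022-05-12T03:17:45Z host=DC01 event_id=5830 account=LEGACY-APP$ src=10.20.30.90
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<eid>\d+) "
    r"account=(?P<account>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed export into dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        record = match.groupdict()
        record["eid"] = int(record["eid"])
        events.append(record)
    return events


def triage(events):
    """Split Netlogon events into allowed/denied findings.

    Returns a dict with 'allowed' and 'denied' lists plus 'exposed_dcs', a map
    of domain controller -> sorted accounts that were still permitted to use the
    vulnerable secure channel. Any entry in 'exposed_dcs' means that controller
    is not yet in enforcement mode or carries a policy exception worth reviewing.
    """
    findings = {"allowed": [], "denied": []}
    exposed = defaultdict(set)
    for ev in events:
        meta = NETLOGON_EVENTS.get(ev["eid"])
        if meta is None:  # not a Netlogon secure-channel event
            continue
        verdict, description = meta
        entry = {
            "time": ev["ts"], "dc": ev["host"], "event_id": ev["eid"],
            "account": ev["account"], "src": ev["src"], "note": description,
        }
        if verdict == "ALLOWED":
            findings["allowed"].append(entry)
            exposed[ev["host"]].add(ev["account"])
        else:
            findings["denied"].append(entry)
    findings["exposed_dcs"] = {dc: sorted(accts) for dc, accts in exposed.items()}
    return findings


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_EVENTS))
    for dc, accounts in result["exposed_dcs"].items():
        print(f"{dc}: vulnerable Netlogon channel still allowed for {', '.join(accounts)}")
    print(f"{len(result['denied'])} denied, {len(result['allowed'])} allowed")
```

Run as a script it prints which controllers are still accepting vulnerable connections and from which accounts; in practice the same logic would be fed from a SIEM export rather than an inline string, and any non-empty exposed_dcs result is the signal that patching alone has not closed the hole.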
As the ICO's Ian Hulme bluntly put it: "Waiting for performance issues or a ransom note to discover a breach is not acceptable."
The Blunder That Blew the Cover
The breach went public in a particularly chaotic fashion. When Cl0p tried to extort a ransom, they accidentally named the wrong water company, claiming they'd hit Thames Water, which supplies 15 million Londoners. The group also boasted they could alter the chemical composition of the water supply, a claim South Staffordshire flatly denied. Regulators found no evidence of any compromise to actual water treatment systems.
Despite the drama, South Staffordshire cooperated fully with regulators, admitted liability early, and accepted a 40% discount on its fine through voluntary settlement.
The Bigger Picture
This incident isn't an isolated embarrassment; it's a warning. Cyberattacks on British water suppliers hit a record high between 2024 and 2025, with five incidents reported in that window alone. Yet under current rules, companies only need to report attacks that actually cut off water supplies, meaning a great deal of lurking, stealing and ransoming can happen entirely below the regulatory radar.
The UK government's Cyber Security and Resilience Bill, which would force broader reporting and tougher standards for critical infrastructure, is expected in Parliament this year, not a moment too soon.